学习基于记录,而不止于记录。
希望自己能坚持下去~
0.写在前面
记录Spring security常见的formLogin表单验证模式。
spring boot版本:2.2.7.RELEASE
开发工具:IntelliJ IDEA 2018.3.2 (Ultimate Edition)
jdk: java version "1.8.0_181"
maven: 3.3.9
1.编写配置类
SecurityConfig.java
package com.grj.securityDemo.config;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
import org.springframework.security.crypto.password.PasswordEncoder;
/**
* @Author: grj
* @Date: 2020/6/1 20:10
*/
@Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter {
@Override
protected void configure(HttpSecurity http) throws Exception {
//关闭这项拦截功能,要不然后面测试都无法进行
http.csrf().disable();
//登录任何人都可以访问
//pageA和pageB只有拥有user或者admin权限才可以访问
//syslog和sysuser只有拥有admin权限才可以访问
http.formLogin()
.loginPage("/login.html")
.loginProcessingUrl("/login")
.defaultSuccessUrl("/index")
.and()
.authorizeRequests()
.antMatchers("/login.html", "/login").permitAll()
.antMatchers("/pageA.html", "pageB.html")
.hasAnyAuthority("ROLE_user", "ROLE_admin")
.antMatchers("/syslog.html", "/sysuser.html")
//这两种方式写法是等同的
// .hasAnyRole("admin")
.hasAnyAuthority("ROLE_admin")
.anyRequest().authenticated();
}
@Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.inMemoryAuthentication()
.withUser("user")
.password(passwordEncoder().encode("123456")) //密码123456加密
.roles("user")
.and()
.withUser("admin")
.password(passwordEncoder().encode("123456"))
// .authorities("/syslog", "/sysuser")
.roles("admin")
.and()
.passwordEncoder(passwordEncoder()); //配置加密方式
}
//加密方式
@Bean
public PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
TestController.java
package com.grj.securityDemo.controller;
import org.springframework.stereotype.Controller;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PostMapping;
@Controller
public class TestController {
// 登录
@PostMapping("/login")
public String index(String username,String password) {
return "index.html";
}
// 登录成功之后的首页
@GetMapping("/index")
public String index() {
return "index.html";
}
// 日志管理
@GetMapping("/syslog")
public String showOrder() {
return "syslog.html";
}
// 用户管理
@GetMapping("/sysuser")
public String addOrder() {
return "sysuser.html";
}
// 具体业务一
@GetMapping("/pageA")
public String pageA() {
return "pageA.html";
}
// 具体业务二
@GetMapping("/pageB")
public String pageB() {
return "pageB.html";
}
}
还有一些静态页面,大同小异我只放几个
login.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>我的登录页</title>
</head>
<body>
<h2>登录页面</h2>
<form action="/login" method="post">
<input name="username" type="text" placeholder="请输入用户名"><br>
<input name="password" type="password" placeholder="请输入密码"><br>
<input type="submit" value="登录">
</form>
</body>
</html>
index.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>我的主页</title>
</head>
<body>
<h2>主页</h2>
<a href="/pageA">A</a><br>
<a href="/pageB">B</a><br>
<a href="/syslog">syslog</a><br>
<a href="/sysuser">sysuser</a>
</body>
</html>
pageA.html
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>A页面</title>
</head>
<body>
<h2>A页面</h2>
</body>
</html>
3.测试user
1)用user登录
image.png
2)进入主页
image.png
3)测试权限,上面两个超链接可以进去,下面两个则不行(403权限不足)
image.png
image.png
4.测试admin
测试过程大同小异,部分截图省略
1)用admin登录,进入主页,并且访问四个超链接都是可以的
2)权限测试
image.png
4.总结
目前这种用户和密码依旧是直接写入在内存中,并且我们没有自定登录失败和自定义登录成功处理方法,后续将对这些进行不足。
